HashiCorp Vault

What is Vault?

HashiCorp Vault is an identity-based secrets and encryption management system. A secret is anything you want to tightly control access to, such as API keys, encryption keys, passwords, and certificates. Vault provides encryption services that are gated by authentication and authorization: sensitive data can be securely stored and managed, access to it can be tightly restricted, and every access can be audited, through Vault's UI, CLI, or HTTP API.

Modern systems require access to a large number of secrets, including database credentials, API keys for external services, credentials for service-oriented architecture communications, and more. It can be difficult to understand who is accessing which secrets, especially since this can be platform-specific. Adding key rollover, secure storage, and detailed audit logs is nearly impossible without a custom solution. This is where Vault steps in.

Vault authenticates and authorizes clients (users, machines, applications) before providing access to confidential or stored sensitive data.


How Vault works

Vault primarily uses tokens, and each token is associated with a set of policies. Policies are path-based: each rule names a path (or a path prefix) and the capabilities a client holding that policy may exercise on it, so the policies attached to a token define exactly which actions it can perform on which paths. Tokens can be created manually by an operator and handed to clients, or clients can log in through an auth method and receive a token. The diagram below shows Vault's core workflow.
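As an added illustration of the path-based policy model (this is not code from the original post, nor Vault's own implementation), the following Python models how Vault resolves a request against the policies attached to a token. The policy contents, policy names, token structure and helper functions are constructed for this example; the precedence rules follow Vault's documented behaviour (an exact path rule beats a glob rule, among glob rules the longest prefix wins, capabilities from all attached policies are merged, and `deny` overrides everything else). Vault's `+` single-segment wildcard and the `sudo` capability are deliberately left out.

```python
"""Simplified model of Vault's path-based policy evaluation (added example).

Policies are plain dicts standing in for the HCL stanzas

    path "secret/data/app/*" { capabilities = ["read", "list"] }

that a real Vault policy file contains. Nothing here talks to a Vault server.
"""
from dataclasses import dataclass, field

# Constructed sample policies. A trailing "*" marks a glob (prefix) rule.
POLICIES = {
    "default": {
        "auth/token/lookup-self": {"read"},
        "auth/token/renew-self": {"update"},
    },
    "app-readonly": {
        "secret/data/app/*": {"read", "list"},
    },
    "app-admin": {
        "secret/data/app/*": {"create", "read", "update", "delete", "list"},
        # Exact rule: more specific than the glob above, so it wins for this
        # one path and the "deny" blocks even holders of the glob rule.
        "secret/data/app/prod-db": {"deny"},
    },
}


@dataclass
class Token:
    """A Vault token as the client sees it: an opaque id plus attached policies."""
    accessor: str
    policies: list = field(default_factory=list)


def merge_policies(policy_names):
    """Merge all rules of the given policies into exact and glob rule tables.

    Vault unions the capabilities granted for the same path across policies;
    the "deny" capability is kept in the union and checked last.
    """
    exact, glob = {}, {}
    for name in policy_names:
        for path, caps in POLICIES[name].items():
            if path.endswith("*"):
                glob.setdefault(path[:-1], set()).update(caps)
            else:
                exact.setdefault(path, set()).update(caps)
    return exact, glob


def capabilities_for(policy_names, path):
    """Return the capability set that applies to `path`, or an empty set.

    Resolution order: exact match first, otherwise the longest matching glob
    prefix. A path with no rule at all gets no capabilities (default deny).
    """
    exact, glob = merge_policies(policy_names)
    if path in exact:
        return exact[path]
    prefixes = [p for p in glob if path.startswith(p)]
    if not prefixes:
        return set()
    return glob[max(prefixes, key=len)]


def allowed(policy_names, path, capability):
    """True if a token with these policies may use `capability` on `path`."""
    caps = capabilities_for(policy_names, path)
    if "deny" in caps:  # deny overrides every other capability
        return False
    return capability in caps


def check(token, path, capability):
    """Authorization decision for a request made with `token`."""
    return allowed(token.policies, path, capability)


if __name__ == "__main__":
    # Constructed tokens: one issued by an operator, one obtained via login.
    operator_token = Token("hmac-accessor-1", ["default", "app-admin"])
    app_token = Token("hmac-accessor-2", ["default", "app-readonly"])
    for tok, path, cap in [
        (app_token, "secret/data/app/config", "read"),
        (app_token, "secret/data/app/config", "update"),
        (operator_token, "secret/data/app/config", "update"),
        (operator_token, "secret/data/app/prod-db", "read"),
        (app_token, "secret/data/app/prod-db", "read"),
    ]:
        print(f"{tok.accessor} {cap:6} {path}: {'allow' if check(tok, path, cap) else 'deny'}")
```

Two details worth noticing: a token carrying `app-admin` is refused `read` on `secret/data/app/prod-db` even though its glob rule grants read, because the exact `deny` rule is more specific; and a token carrying only `app-readonly` can still read that path, which is why a real policy set should put the `deny` into every policy that carries the broader glob, or scope the glob more narrowly in the first place.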
The core Vault workflow consists of four stages:

  • Authentication: Authentication in Vault is the process by which clients provide information that Vault uses to determine if they are

Source: blog.csdn.net/FENGQIYUNRAN/article/details/130107584